In general, in fields which require information security, a method using mutually shared information and an encryptor, is adopted as means for certifying one's own authenticity.
For example, in an IC card (SmartCard), etc., which are used for electronic settlement, an ID and secret information for individualizing the IC card are stored in an IC in the card, and the IC card has a cipher processing function for executing authentication based on the ID and secret information. In another example, an authentication method is specified in Content Protection for Recordable Media (CPRM) as means for certifying authenticity of an SD® card in protection of copyrighted contents.
When a security system for, e.g. authentication is constructed, it is necessary to assume a case in which a device which executes the process of the authentication is attacked, and hidden information is extracted. It is important to revoke the extracted hidden information. In the above-described CPRM or in Advanced Access Content System (AACS) that is a protection technique specified for protecting content recorded in a Blu-ray Disc, use is made of Media Key Block (MKB) for revoking a device key that is hidden information. In another method adopting a protocol based on public key cryptosystem, use is made of a list (Revocation List) of a public key certificate, which is paired with leaked private key information.
Taking, as an example, a system of playing back video data, which is recorded in an SD® card, by video playback software that is installed in a PC, a CPRM process is implemented in the SD® by hardware, and it is very difficult to unlawfully extract hidden information. Compared to this, in many cases, it is easier to extract hidden information from the playback software as a method of an attack. Actually, many software items for unlawfully decoding protected DVD or Blu-ray video content have been available. In such unlawful software, hidden information, which is extracted from an authentic software player, is utilized.
In addition, in some cases, it is necessary to take countermeasures against card-falsifying software or a false SD card. For example, an imitative SD® card in disguise is produced by using hidden information extracted from software, thereby to deceitfully use an authentic software player. For instance, a false SD® card is produced such that an encryption key, which was used in encryption of content, can be easily read out from the false SD® card. Thereby, it becomes possible to easily decode the video content recorded in the false SD® card, by using an authentic video recorder.
An authenticator may be provided not only as a dedicated hardware device such as a consumer device, but also as a program (software) which is executable in a PC (personal computer) or the like, and, in some cases, the software functions as a substantial authenticator. On the other hand, an authenticatee is, for instance, recording media or the like. Even in the case where a program called “firmware” mediates in the operation of hardware which constitutes the recording media, an important process or information is stored in a hidden state in hardware in the cell array. Thus, in reality, for example, in the case where software which is executed on the PC is the authenticator, there is concern that the tamper-resistance (the resistance to attacks) becomes lower, compared to the authenticatee such as recording media.
Thus, there is concern that, by attacking an authenticator with a low tamper-resistance, secret information hidden in an authenticatee with a high tamper-resistance is also exposed, leading to a disguise as a device with a high tamper-resistance. As described above, there is a trend that a demand is increasing for the prevention of unlawful use of secret information.
In addition, in recent years, such a demand is strong even in an environment in which restrictions are also imposed on circuit scales, for example, in an environment in which hardware implementation of a public key cryptosystem process or an MKB process, which requires a relatively large circuit scale, is difficult to achieve.